How the Federal Government is Shaping the Standards for Quantum

You are going to hear more and more about Quantum in the coming months and years, more specifically mandates and orders regarding Quantum and Post Quantum Encryption.  The latest estimates are that a viable Quantum Computer which can crack the current encryption algorithms (RSA, Elliptical Curve, Diffie Hellam) could be less than 10 years away and with transition times (from existing solutions to Post Quantum and Quantum solutions) estimated at between 5 and 7 years the Federal government is beginning to take notice of the risks Quantum Computers pose to national security.

At Marion Square we are closely following this space as we believe there will be significant opportunities for both software vendors and services providers to enable Government agencies to make this critical transition to Quantum Resistance Encryption over the next several years.

Driving Federal Agency activity to date are several Government Executive Orders and mandates:

1. White House Executive Order: Migrating to Post-Quantum Cryptography (whitehouse.gov) that Federal agencies begin to develop and execute strategies to move towards Quantum resistant and Quantum proof cryptography.

2. OMB memo M-23-02 M-23-02 (whitehouse.gov) which provide more detailed requirements for Federal Agencies regarding the transition to Post Quantum Encryption.

"This memorandum describes preparatory steps for agencies to undertake as they begin their to PQC by conducting a prioritized inventory of cryptographic systems. Further, this memorandum provides transitional guidance to agencies in the period before PQC standards are finalized by the National Institute of Standards and Technology (NIST), after which OMB will issue further guidance."

3. OMB memo M-23-18 released in June of FY 23 which among other things laid out timelines for reporting and budgeting requirements for FY 25. M-23-18 (whitehouse.gov

"This memorandum outlines the Administration’s cross-agency cybersecurity investment priorities for formulating fiscal year (FY) 2025 Budget submissions to the Office of Management and Budget (OMB), consistent with spring guidance" Agency budgets "should include necessary services and software needed to accurately, and where possible, automatically inventory cryptographic systems and to begin transitioning agencies’ most critical and sensitive networks and systems to post quantum cryptography as directed to do so by OMB"

4. National Security Memo -10 (NSM 10) National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems | The White House

Which states that “the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035.”

Federal Agencies are in the first phase of the quantum encryption transition, "Inventory" which must be completed by May 4th of this year. (FY24) M-23-02 establishes requirements for agencies to inventory their active cryptographic systems, with a focus on High Value Assets (HVAs) and high impact systems, this process essentially is creating a Cryptographic Bill of Materials or CBOM for the agency. The term “cryptographic system” means an active software or hardware implementation of one or more cryptographic algorithms that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections; or (3) creation and validation of digital signatures.

The current Inventory process is characterised as very manual and spreadsheet based, going forward agencies are required to budget for and implement technology that can automate the inventory process (OMB-MS-23-18) and these inventories will need to adhere to a standard format. Agency Inventories starting this year are to be submitted to CISA and the Office of the National Cyber Director (ONCD) annually through FY 2035.

To complete the requirements for the Inventory phase agencies must also, within 30 days of submission of their Inventory, submit to ONCD and OMB an assessment of the funding required to migrate information systems and assets inventoried under this memorandum to post-quantum cryptography during the following fiscal year.

As agencies begin to grapple with producing their inventories/CBOM and creating budgets for migration, we at Marion Square firmly believe there will be opportunities for software vendors and services providers.

From a software perspective technologies and tools designed to automate the process of inventorying an agencies cryptographic systems is the near term opportunity- again agencies are required to budget for these tools in their FY 25 budgets submissions. Agencies will require services and support to deploy these solutions, map their gaps and risks, and determine budgets for migrating to Quantum Resistance Encryption. Longer term agencies will also need access to Quantum resistant encryption solutions and support to deploy and maintain them.